Skip to content

[Backend] Weak default JWT secret in auth.config.ts #656

Description

@llinsss

Location: backend/src/config/auth.config.ts (around line 6)

Problem:
The JWT secret falls back to a hardcoded default ('your-secret-key-min-32-chars-change-in-production') when JWT_SECRET is not set in the environment. If this is ever deployed without the env var explicitly configured, every token can be forged by anyone who reads the source code.

Why it matters:
This is a critical authentication bypass risk — any environment that forgets to set JWT_SECRET is fully compromised.

Suggested fix:

  • Throw on startup (fail fast) if JWT_SECRET is not set, instead of silently falling back to a weak default.
  • Add a startup validation step (e.g. in main.ts or a config validation schema) that checks secret length/entropy.

Acceptance criteria:

  • App refuses to boot without a properly configured JWT_SECRET.
  • A test covers the failure case.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions